LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Adjust iptables to only inbound syn connections (http://www.linuxquestions.org/questions/linux-security-4/adjust-iptables-to-only-inbound-syn-connections-873640/)

guga0001 04-07-2011 03:48 PM

Adjust iptables to only inbound syn connections
 
Hi, I need some help. I'm trying to adjust the firewall to only inbound syn connections. To Allow all home subnets access to port 53 both tcp/udp but deny the rest.

Thx

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

amonamarth 04-07-2011 08:02 PM

This will do what you need, it's not in Redhat's iptables script format, but you'll get the idea.

# Variables
IPADDR = "Your IP address"
HOME_SUBNET = "192.168.1.0/24" # Specify your home subnet here.

# Removing existing rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Set the default policy for the filter table to DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Allowing unlimited trafic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Put this inside conditional, just in case connection tracking is not enabled in kernel
if [ "$CONNECTION_TRACKING" = "1" ]; then
# Allowing established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

# Allowing all traffic to port 53 from HOME_SUBNET
iptables -A INPUT -i eth0 -d $IPADDR --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -s $IPADDR --sport 53 -j ACCEPT


All times are GMT -5. The time now is 05:35 AM.